Systems and Methods For Packet Spreading Data Transmission With Anonymized Endpoints

ABSTRACT

A packet-spreading data transmission system with anonymized endpoints facilitates enhanced fortified private communications between a plurality of arbitrary devices via a plurality of communication channels or networks. The data transmission system receives at a source endpoint device a message of arbitrary length. The message includes a destination address associated with a destination endpoint device. Both source endpoint device and the destination endpoint device are selected from a plurality of arbitrary devices. The received message are fragmented and agilely transmitted, via a plurality of communication channels, from the source endpoint device to the destination endpoint device.

CROSS REFERENCE TO RELATED APPLICATIONS

This U.S. application is a Continuation Application of and claimspriority of U.S. application Ser. No. 17/341,321 (Attorney DocketKIR-1801-C1), filed on Jun. 7, 2021, entitled “Systems and Methods ForPacket Spreading Data Transmission With Anonymized Endpoints”, whichapplication is incorporated herein in its entirety by this reference.

This U.S. application is also a Continuation Application of and claimspriority of U.S. application Ser. No. 16/039,243 (Attorney DocketKIR-1801-US), filed on Jul. 18, 2018, entitled “Systems and Methods ForPacket Spreading Data Transmission With Anonymized Endpoints”, now U.S.Pat. No. 11,082,408, issued Aug. 3, 2021, which claims the benefit ofU.S. Provisional Application No. 62/535,206, filed on Jul. 20, 2017,entitled “Systems and Methods For Packet Spreading Data TransmissionWith Anonymized Endpoints” which applications are incorporated herein intheir entirety by this reference.

BACKGROUND

The present invention relates to computer data security and, inparticular, to a systems and methods for dramatically improved securityand privacy of data packets traveling through open networks.

Given the combination of global network connectivity, exponential growthin the number of network accessed devices and databases, Moore's Lawcontinually driving down computing cost and increasing computationaldensity, and the rapidly looming realization of quantumcomputing—government, commercial and personal communications arethreatened in a way that was perhaps inconceivable only a few years ago.

Rogue actors, e.g., encryption crackers or malicious hackers, pose athreat in the cyber realm for any device connected to a network. It isnot hard to conceive the potential threat of mass hacking of the cominggeneration of autonomous cars, trucks, aerial vehicles, industrialrobots, home robots, and smart appliances. Increasingly, our world andour lives depend on our ability to protect sensitive data andcommunications.

Recent cyber attacks such as the massive disruption of Ukraine's powergrid in 2015, the hacking of Democratic National Committee emails in2016, and the 2017 global ransom-ware attacks make it plainly clear ofthe wide ranging risks to any user active in cyber-space.

It is therefore apparent that an urgent need exists for improvedsecurity and privacy of data packets traveling through open networks.

SUMMARY

In accordance with the present invention, data packets to be deliveredthrough an open network, such as the Internet, are encrypted andpseudo-randomly divided across numerous sub-packets, each of whichtravels through a separate communications channel, to a respectiveobscured address. The sub-packets are all delivered to a single endpointsystem, which then decrypts the sub-packets, reassembles the sub-packetsto reconstruct the original encrypted packet, and decrypts the encryptedpacket to reconstruct the original packet.

Splitting a data packet into multiple sub-packets and sending thosesub-packets through different channels produces benefits similar tothose produced in the non-analogous art of frequency spreading in radiotransmission. Included in these benefits are Low Probability ofDetection (LPD), Low Probability of Intercept (LPI), and Low Probabilityof Exploitation (LPE).

Splitting a data packet into multiple sub-packets allows the sub-packetsto hide amongst other data packets traveling through the endpoint systemcontemporaneously. In addition, data from multiple sources can becommingled in sub-packets. Such disguises the sub-packets, providing alow probability of detection.

By sending the sub-packets over different communications channels, e.g.,between different phantom addresses associated with the involvedendpoint systems through reverse proxy, an adversary must collectpackets from countless communications channels to intercept the entiretyof a single original packet.

Even if an adversary manages to intercept the entirety of a data packet,the manner in which the original data packet is split into sub-packetsis highly randomized and cryptographically secure. Accordingly, thespreading of data packets in accordance with the present inventionprovides a low probability of exploitation.

Note that the various features of the present invention described abovemay be practiced alone or in combination. These and other features ofthe present invention will be described in more detail below in thedetailed description of the invention and in conjunction with thefollowing figures.

BRIEF DESCRIPTION OF THE DRAWINGS

In order that the present invention may be more clearly ascertained,some embodiments will now be described, by way of example, withreference to the accompanying drawings, in which:

FIG. 1 illustrates an exemplary embodiment of an Ecosystem forpacket-spreading encrypted data transmission system(s) with anonymizedendpoint systems, in accordance with the present invention;

FIG. 2 is a transaction flow diagram illustrating transmission betweenendpoint systems of FIG. 1 in accordance with the present invention;

FIG. 3 is a logic flow diagram illustrating a step of FIG. 2 in greaterdetail;

FIG. 4 is a logic flow diagram illustrating a step of FIG. 2 in greaterdetail;

FIG. 5 is a block diagram illustrating an endpoint system of FIG. 1 ingreater detail; and

FIG. 6 is a block diagram illustrating endpoint security data of FIG. 5in greater detail.

DETAILED DESCRIPTION

The present invention will now be described in detail with reference toseveral embodiments thereof as illustrated in the accompanying drawings.In the following description, numerous specific details are set forth inorder to provide a thorough understanding of embodiments of the presentinvention. It will be apparent, however, to one skilled in the art, thatembodiments may be practiced without some or all of these specificdetails. In other instances, well known process steps and/or structureshave not been described in detail in order to not unnecessarily obscurethe present invention. The features and advantages of embodiments may bebetter understood with reference to the drawings and discussions thatfollow.

Aspects, features and advantages of exemplary embodiments of the presentinvention will become better understood with regard to the followingdescription in connection with the accompanying drawing(s). It should beapparent to those skilled in the art that the described embodiments ofthe present invention provided herein are illustrative only and notlimiting, having been presented by way of example only. All featuresdisclosed in this description may be replaced by alternative featuresserving the same or similar purpose, unless expressly stated otherwise.Therefore, numerous other embodiments of the modifications thereof arecontemplated as falling within the scope of the present invention asdefined herein and equivalents thereto. Hence, use of absolute and/orsequential terms, such as, for example, “always,” “will,” “will not,”“shall,” “shall not,” “must,” “must not,” “first,” “initially,” “next,”“subsequently,” “before,” “after,” “lastly,” and “finally,” are notmeant to limit the scope of the present invention as the embodimentsdisclosed herein are merely exemplary.

In accordance with the present invention, data packets to be deliveredthrough an open network, such as the Internet, are encrypted andpseudo-randomly divided across numerous sub-packets, each of whichtravels through a separate communications channel, sometimes referred toherein as a “stream”, to a respective obscured address. The sub-packetsare all delivered to a single endpoint system, e.g., endpoint system B180 (FIG. 1 ), which then decrypts the sub-packets, reassembles thesub-packets to reconstruct the original encrypted packet, and decryptsthe encrypted packet to reconstruct the original packet.

The techniques for securing data packets produces benefits similar tothose produced in the non-analogous art of frequency spreading in radiotransmission. Included in these benefits are Low Probability ofDetection (LPD), Low Probability of Intercept (LPI), and Low Probabilityof Exploitation (LPE).

Transmitted radio signals can achieve very low probability of detectionby various signal encoding and frequency spreading techniques, even soas to lower the observable radio energy to levels below the backgroundnoise floor. Because digital communications have no inherent noise floorin the sense of radio's cosmic background radiation, the act ofcommunication cannot be hidden this same way. What can be done, and whatthe features outlined herein explain, are ways to attain similarobscurity in the digital realm where packet traffic is entirelydetectable by an adversary.

A second virtue of spread spectrum transmission of radio signals is thatan adversary who manages to detect transmissions finds the multitude ofrapidly changing transmission frequencies to be a technical barrier tointerception (LPI). This is a subtle and significant aspect worthy ofcareful understanding. It is more difficult for the user's radio to hopfrom frequency to frequency. Fortunately, the complexity of code-drivendynamic frequency selection is moderate—it is perhaps 10× or 100× morework to build radios using thousands or millions of frequencies. Theeavesdropping effort for the adversary, however, is proportional to thenumber of possible frequencies, which might be a thousand or millionrather than one. This asymmetry is a double virtue—the data is very hardfor an adversary to capture and it is much harder proportionally for theadversary to capture than the owner to send and receive.

In a manner described more completely below, endpoint system A 150spreads incoming packets into a multiplicity of smaller sub-packets andsends these through different communications channels, e.g., todifferent IP addresses. By using reverse proxy, it is possible to havethousands of phantom addresses among which the spread sub-packets ofmany parallel communications are sent. Though thousands or tens ofthousands of such IP addresses are fewer than millions of tunable radiofrequencies, it has the same asymmetric dynamic versus an adversary—theadversary must capture data sent to many times the number of destinationaddresses in order to have any hope of intercepting a decodablecommunication.

The third aspect of spread spectrum is that a dedicated adversary whohas managed to detect a spread transmission and record its many tendrilsmust also reassemble the conversation in much the same way as“unshredding paper” (LPE). While maximizing information security in thisarea was quite difficult for analog-era radios, in our digital networkcontext, this problem is readily addressed by digital data encryptiontechniques. Even so, the benefit of highly skewed asymmetric cost/effortadvantage mentioned previously motivates several features in endpointsystems A 150 and B 180 to make exploiting packet data highlyimpractical. These features are described below.

The intrinsic security of such an ecosystem begins with truly privatecommunication—between arbitrary devices, across open networks, and evenapplication to application. This privacy combines the strength of dataencryption, benefits of spread spectrum radio (low probabilities ofdetection, interception, and exploitation), defenses against trafficanalysis in packet-switched networks, and mechanisms against attacks byfull-knowledge insiders and unbounded-computation outsiders. This isdone without change to installed systems—unparalleled protection with nooperational complexity.

The incorporation of validated data encryption (AES-256/GCM, SPECK,SIMON) and hash techniques (SHA-256/512, SHA3-256/512) additionallyenhances secure information management. These are valuable elements incommunication encryption, but they cannot per se provide communicationprivacy. In other words, while validated data encryption and hashtechniques are valuable for communication privacy, there are notsufficient for communication privacy. This greater goal requiresfrustrating adversarial traffic analysis, hampering adversarial captureof data in flight, and as much as possible, hiding the very act ofcommunication from an adversary.

As described more completely herein, endpoint systems A 150 and B 180deliver communication privacy by using trusted security elements in aframework inspired by spread-spectrum radio technology. So inspired, we(i) fuse packet from and to address pairs to define a distinctcommunications channel as an analogy to a single frequency and (ii)encrypt and spread packets across a range of such communicationschannels, with phantom sub-packet header addresses to obscure theoriginal endpoints. These steps, along with further processing describedherein, assure private communication across untrusted networks.

Architecture—Functional Overview As described in greater detail belowwith respect to logic flow diagram 204 (FIG. 3 ), the basic sendingfunction of an Endpoint system is to receive packets from devices,encrypt, and spread the encrypted bits to sub-packets, which are thenencrypted and assigned packet headers that obscure the originalendpoints. The resulting sub-packets are sent to phantom addresses thatreverse proxy to an Endpoint at the destination. As described in greaterdetail below with respect to logic flow diagram 208 (FIG. 4 ), the basicreceiving function for packets from other Endpoint devices reversesthese processing steps: sub-packets are gathered, decrypted, andvalidated, the cohort is “unspread,” decrypted and validated. Thereconstructed original packet is then output from the device-side of theEndpoint system.

FIG. 1 illustrates an exemplary Ecosystem 100, in accordance with oneembodiment of the present invention. The device side of an endpointsystem is its “outer side”; the network side between endpoints is its“inner side”. Many devices can be on the outer sides, so N devices A₁,A₂, . . . A_(N) (e.g., protected devices 111-119) and M devices B₁, B₂,. . . B_(M) (e.g., protected devices 191-198) at endpoints A and B(e.g., Endpoint system A 150 and Endpoint System B 180, respectively),create completely private communication between the M*N pairs of deviceson the outer sides of the endpoint systems. Multiple networks can beused on the inner sides (e.g., Feeder Network(s) A 140 and FeederNetwork(s) B 160) as well as on the outer sides (e.g., Wide-AreaNetwork(s) (WAN) 170) of the endpoint systems, by direct networkattachment or by ordinary routing mechanisms.

Note the terms “protected device”, “protected system”, “outer sidedevice”, and “outer side system” may be utilized interchangeably andrefer to a computerized and network connectable system devised orintended in part for automated operation composed of hardware (e.g.,processor, memory, sensors and input/output devices) and programmedinstructions for operation (e.g., software, firmware, microcode). Aprotected device can, for example, be a ‘smart device’ such as augmentedreality display goggles connected to a network of other computerizedsystems. In some embodiments, a ‘protected device’ or ‘outer sidedevice’ can refer to a virtual device composed of a system(s) ofinterconnected devices, wherein communication from such a system(s) ofinterconnected devices with other separate external device(s) orsystem(s) may be protected by an endpoint.

Illustrative arbitrary devices 111-119 and 191-199 in FIG. 1 provideexamples of such protected devices. Protected devices can include, forexample: digital home devices (e.g., smart thermostat 111); satelliteenabled devices (e.g., GPS guidance system 112); semi-autonomous,autonomous, and remote controlled vehicles (e.g., aerial drone 113);commercial and personal computer systems (e.g., laptop computer 119);body-attached or body-embedded computerized devices (e.g., smart watches191); mobile devices (e.g., tablet computer 192); network access devices(e.g., WIFI router 193); and remotely accessed devices and sensors(e.g., satellite 199). These are just a few illustrative examples. Anycomputerized device with a network connection can be a protected device.

Processing Example To explain basic Endpoint processing, let's trace apacket from device to network through this structure as illustrated intransaction flow diagram 200 (FIG. 2 ). In the illustrative example oftransaction flow diagram 200, a data packet is sent from device 111 todevice 191 through endpoint systems A 150 and B 180. Though the stepsare described sequentially, implementation is actually concurrent.

In step 202, an input packet is received by endpoint system A 150 from adevice-side network connection, e.g., from device 111.

In step 204, which is described below in greater detail in conjunctionwith logic flow diagram 204 (FIG. 3 ), endpoint system A 150 splits theinput packet into S sub-packets and sends those sub-packets, eachthrough a respective communications channel, to endpoint system B 180.This is illustrated as steps 206A-S.

In step 208, which is described below in greater detail in conjunctionwith logic flow diagram 208 (FIG. 5 ), endpoint system B 180 joins thesub-packets to reconstruct the packet as encrypted by endpoint system A150 and decrypts that packet to reconstruct the packet as it wasoriginally received by endpoint system A 150 in step 202.

Step 204 is shown in greater detail as logic flow diagram 204 (FIG. 3 ).In step 302, endpoint system A 150 receives a data packet, e.g., fromdevice 111 (FIG. 1 ) in this illustrative example. In step 304 (FIG. 3), endpoint system A 150 records source and destination addresses fromthe packet, since encrypting the packet in step 306 will obscure thoseaddresses and the sub-packets must still travel toward the originaldestination of the packet.

In step 306, endpoint system A 150 encrypts the packet. The encryptionof step 306 is sometimes referred to as the outer encryption because theencryption relates to the outer-, device-side of endpoint system A 150.In this illustrative embodiment, this outer encryption is the knownAES-256 encryption technique in Galois/Counter Mode (GCM). AES-256 andGCM are known and are not described herein. The key used in outerencryption, i.e., the outer key, can be a single key used by allendpoint systems when communicating with one another or can be specificto each endpoint system or to each pair of endpoint systems.“AES256:32Bytes567890123456_OUTER” is an illustrative example of anouter key shared by endpoint systems A 150 and B 180.

In step 308, endpoint system A 150 determines a number of communicationschannels among which to divide the encrypted packet. The number ofchannels can be predetermined and fixed or can be determined accordingto one or more characteristics of the encrypted packet. In oneillustrative embodiment, endpoint system A 150 selects a number ofchannels such that the encrypted packet, when divided into that numberof sub-packets, results in sub-packets having sizes that are no lessthan a predetermined minimum sub-packet size and no more than apredetermined maximum sub-packet size.

In step 310, endpoint system A 150 assigns each bit of the encryptedpacket to one of the sub-packets using a reversible selection mechanism,such as a seeded pseudo-random number generator. Using the same seededpseudo-random number generator, endpoint system B 180 can divine whichposition within a whole packet each bit of each sub-packet belongs.

In embodiments described more completely below, endpoint system A 150can employ any of a number of techniques in step 310 to further obscurethe substantive, payload data in the various sub-packets, such as bitinsertion and stream interdependence, for example.

After step 310, each of the sub-packets includes all the bits of itsintended data payload. Loop step 312 and next step 324 define a loop inwhich endpoint system A 150 processes each of the sub-packets accordingto steps 314-322. During a particular iteration of the loop of steps312-324, the particular sub-packet processed by endpoint system A 150 issometimes referred to as the subject sub-packet in the context of logicflow diagram 204.

In step 314, endpoint system A 150 finalizes the last bit of the datapayload of the subject sub-packet.

In step 316, endpoint system A 150 addresses the subject sub-packetusing source and destination addresses recorded in step 304. Inparticular, since the packet originates on the device side of endpointsystem A 150, the FROM: address for the subject sub-packet is an addressof endpoint system A 150. Since the packet is destined for device 191 onthe device side of endpoint system B 180, the TO: address for thesubject sub-packet is an address of endpoint system B 180.

In this illustrative embodiment, endpoint systems A 150 and B 180 areeach associated with a plethora (e.g., thousands or even tens ofthousands) of IP addresses, e.g., each through one or more reverse proxyservers. Also in this illustrative embodiment, a communications channelbetween endpoint systems A 150 and B 180 is defined by a pair ofaddresses: one associated with endpoint system A 150 as the source andone associated with endpoint system B 180 as the destination.

In step 318, endpoint system A 150 encrypts the subject sub-packet. Theencryption of step 318 is sometimes referred to as inner encryption,using an inner key. In step 320, endpoint system A 150 finalizes thesubject sub-packet, including adding GCM verification data.

In step 322, endpoint system A 150 sends the finalized sub-packetthrough WAN 170 as addressed in step 316. Each performance of step 322is represented by a respective one of steps 206A-S (FIG. 2 ).

Once endpoint system A 150 has processed all sub-packets according tothe loop of steps 312-324, processing according to logic flow diagram204, and therefore step 204 (FIG. 2 ), completes.

As described above, endpoint system B 180 joins the received sub-packetsand decrypts the joined packet in step 208 (FIG. 2 ). Step 208 is shownin greater detail in logic flow diagram 208 (FIG. 4 ).

Loop step 402 and next step 410 define a loop in which endpoint system B180 processes the sub-packet of each channel according to steps 404-408.During a given iteration of the loop of steps 402-410, the particularsub-packet processed by endpoint system B 180 is sometimes referred toas the subject sub-packet in the context of logic flow diagram 208.

In step 404, endpoint system B 180 receives the subject sub-packet. Instep 406, endpoint system B 180 verifies that the subject sub-packet asreceived is complete and error-free using the GCM verification data ofthe subject sub-packet. In step 406, endpoint system B 180 decrypts thesubject sub-packet, i.e., applies the reverse of the inner encryptionapplied by endpoint system A 150 in step 318 (FIG. 3 ).

Once endpoint system B 180 has processed all sub-packets according tothe loop of steps 402-410, processing transfers to step 412.

In step 412, endpoint system B 180 joins the decrypted sub-packets toreconstruct the encrypted packet formed by endpoint system A 150 in step306 (FIG. 3 ). The joining is the reverse of the splitting of bits ofthe encrypted packet as described above with respect to step 310,including reversal of any techniques described below such as bitinsertion and stream interdependence.

In step 414 (FIG. 4 ), endpoint system B 180 decrypts the reconstructedencrypted packet, applying the outer encryption techniques and the outerkey used by endpoint system A 150 in step 306 (FIG. 3 ). The result ofstep 414 (FIG. 4 ) is an accurate reproduction of the packet received byendpoint system A 150 in step 302 (FIG. 3 ), including the originalsource and destination addresses in its headers. In step 416 (FIG. 4 ),endpoint system B 180 sends the packet to its destination, e.g., device191 (FIG. 1 ).

The following example illustrates the secure, spread spectrumtransmission from endpoint system A 150 to endpoint system B 180. Forour input “packet,” we will use Lord Byron's timeless poem, She Walks inBeauty, to illustrate the transformation of each Endpoint encoding step:

She Walks in Beauty—by George Gordon, Lord Byron

She walks in beauty, like the nightOf cloudless climes and starry skies;And all that's best of dark and brightMeet in her aspect and her eyes;Thus mellowed to that tender lightWhich heaven to gaudy day denies.One shade the more, one ray the less,Had half impaired the nameless graceWhich waves in every raven tress,Or softly lightens o′er her face;Where thoughts serenely sweet express,How pure, how dear their dwelling-place.And on that cheek, and o′er that brow,So soft, so calm, yet eloquent,The smiles that win, the tints that glow,But tell of days in goodness spent,A mind at peace with all below,A heart whose love is innocent!

An exemplary step-by-step encoding process described above isillustrated by Appendix A. At page 1 of Appendix A, the data payload ofthe packet received in step 302 (FIG. 3 ) is shown under the heading,“read 702 input bytes from file walk.txt”.

The results of outer encryption by endpoint system A 150 in step 306 isshown at page 2 of Appendix A.

Pages 3-4 of Appendix A show the encrypted packet divided into eight (8)sub-packets, each encrypted with inner encryption and with added GCMverification data.

Page 5 of Appendix A shows the same eight (8) sub-packets received byendpoint system B 180. Page 6 of Appendix A shows the sub-packets afterinner decryption by endpoint system B 180. Page 7 of Appendix A showsthe reconstructed encrypted packet resulting from step 412 (FIG. 4 ) byendpoint system B 180.

Inspection shows that the 702-byte poem grows to 857 bytes whenencrypted and spread 8 ways to form the encrypted sub-packets. This155-byte (22%) expansion represents verification data added by the GCMchosen for both inner and outer encryptions, and, by up to 7 random bitsper stream—8 streams in this case—used as padding for partial finalbytes after spreading in step 314 (FIG. 3 ). This overhead is roughlyfixed irrespective of packet size; for a 64 kb input packet, this155-byte expansion is a slight 0.2365% overhead.

Endpoint systems A 150 and B 180 can operate in any of a number of modesin device-side communications.

Invisible mode is the default mode in this illustrative embodiment. Ininvisible mode, endpoint system A 150 can serve a large network ofdevices with no special participation by the devices involved, whichmeans that it is “invisible” to its clients while offering a large suiteof privacy and security benefits. Devices, e.g., devices 111-119 (FIG. 1), operate exactly as they currently operate in conventional networks,with no changes to configuration or behavior.

In this mode, endpoint system A 150 examines packet destinationaddresses to see if they match specified addresses or are withinspecified ranges of addresses that are known by endpoint system A 150 tobe served by another endpoint system. See, e.g., IP addresses 608 (FIG.6 ) of a peer record 604 described below. If there is a match, endpointsystem A 150 processes the packet in the manner described above withrespect to FIG. 3 . The resulting sub-packets are sent to phantomaddresses at the destination, where they are automatically routed to anendpoint system such as endpoint system B 180, which receives andprocesses the sub-packets in the manner described above with respect toFIG. 4 . In this way, any two devices, e.g., devices 111-119 and191-198, connected to WAN 170 through endpoint systems as describedherein gain full communication privacy protection between each otherwithout awareness or change to any computer, software, or networkequipment.

Visible mode is an optional mode in this illustrative embodiment.Despite the convenient operational advantages of invisible mode, thereare additional benefits to be gained in cases where circumstances allowsecurity or programming staff to configure systems to proactivelyinteract with the endpoint system directly.

Suppose, for example, that feeder network A 140 is not entirely trusted.Communications between devices 111-119 and endpoint system A 150 wouldbe vulnerable to detection, interception, and exploitation. To addresssuch a vulnerability, endpoint system A 150 can be made “visible”, i.e.,its presence made known to devices 111-119, and devices 111-119 can beconfigured to communicate with endpoint system A 150 using only securecommunications, such as a known SSL connection. In this secureA-to-Endpoint arrangement, the device can communicate securely withendpoint system A 150, and then through endpoint system A 150, to anydevice beyond another endpoint system. Exclusive use of securecommunications between the device and endpoint system A 150 both (i)obscures the data exchanged therebetween and (ii) obscures metadataspecifying the purpose and intent of the data. For example, if anadversary intended to attack a device attached to feeder network A 140that performs a particular service (e.g., a database server serving highvalue data), use of SSL communications between the device and endpointsystem A 150 hides the identity of the device as one that performs thatparticular service.

Endpoint system A 150 is shown in greater detail in FIG. 5 . Endpointsystems A 150 and B 180 are analogous to one another and description ofone is equally applicable to the other unless otherwise noted herein.Endpoint system A 150 includes one or more microprocessors 502(collectively referred to as CPU 502) that retrieve data and/orinstructions from memory 504 and execute retrieved instructions in aconventional manner. Memory 504 can include generally anycomputer-readable medium including, for example, persistent memory suchas magnetic and/or optical disks, ROM, and PROM and volatile memory suchas RAM.

CPU 502 and memory 504 are connected to one another through aconventional interconnect 506, which is a bus in this illustrativeembodiment and which connects CPU 502 and memory 504 to one or moreinput devices 508, output devices 510, and network access circuitry 512.Input devices 508 can include, for example, a keyboard, a keypad, atouch-sensitive screen, a mouse, a microphone, and one or more cameras.Output devices 510 can include, for example, a display—such as a liquidcrystal display (LCD)—and one or more loudspeakers. Network accesscircuitry 512 sends and receives data through computer networks such asfeeder network A 140 (FIG. 1 ) and WAN 170. Generally speaking, servercomputer systems and network nodes often exclude input and outputdevices, relying instead on human user interaction through networkaccess circuity such as network access circuitry 512. Accordingly, insome embodiments, endpoint system A 150 does not include input device508 and output device 510.

A number of components of endpoint system A 150 are stored in memory504. In particular, endpoint security logic 520 is all or part of one ormore computer processes executing within CPU 502 from memory 504 in thisillustrative embodiment but can also be implemented using digital logiccircuitry. As used herein, “logic” refers to (i) logic implemented ascomputer instructions and/or data within one or more computer processesand/or (ii) logic implemented in electronic circuitry.

Endpoint security data 522 is data stored persistently in memory 504 andcan each be implemented as all or part of one or more databases.

Endpoint security logic 520 causes endpoint system A 150 to behave asdescribed herein, including processing packets received from its deviceside as shown in FIG. 3 and processing packets received from its networkside as shown in FIG. 4 .

Endpoint security data 522 includes data that controls details of thebehavior specified by endpoint security logic 520, e.g., inner and outerkeys, the specific types of inner and outer encryption, and phantomaddresses of known endpoint systems. In particular, endpoint securitydata 522 is shown in greater detail in FIG. 6 .

Endpoint security data 522 includes peer data 602, which stores datathat is helpful in communicating with other endpoint systems in themanner described herein. In particular, peer data 602 includes a numberof peer records, such as peer record 604. In this illustrative example,peer record 604 stores data specific to endpoint system B 180 (FIG. 1 ).

Shared random data 606 is a collection of randomized bits shared betweenendpoint systems A 150 and B 180. In other words, endpoint system B 180stores an exact copy of shared random data 606 in a peer recordcorresponding to endpoint system A 150. IP addresses 608 stores acollection of IP addresses, all of which ultimately lead to the endpointsystem corresponding to peer record 604, e.g., endpoint system B 180 inthis illustrative example. Keys 610 stores data representing a number ofcryptographic keys used by endpoint system B 180 in the manner describedherein.

Beyond the description above of the behavior of endpoint systems A 150and B 180 in providing significantly improved communications security, anumber of implementation details can further improve such security.

As described above with respect to logic flow diagram 204 (FIG. 3 ), thesending endpoint system, e.g., endpoint system A 150, determines anumber of sub-packets into which to divide the packet in step 308. Thisnumber can be somewhat arbitrary. The cost, in terms of processingresources, to send a packet is proportional only to the size of thepacket and not the number of sub-packets into which the packet is split.Accordingly, there is little motivation to minimize the number ofsub-packets. What does increase with splitting a packet into sub-packetsis the number of extra bits used to finalize the last byte of eachsub-packet and the Galois/Counter Mode wrapper used to verifysub-packets after receipt, e.g., by endpoint system B 180. Each of thesecosts offers little motivation to minimize the number of streams as isexplained in discussions regarding Quality of Service and internalchannels further below.

When S number of streams are used, an adversary must capture each, mustdecrypt each, must merge bits of the streams in the proper order, andthen must decrypt the reconstructed stream properly. Without thekey/seed from which the pseudo-random number generator of steps 310(FIGS. 3 ) and 412 (FIG. 4 ) is initialized, the number of possiblearrangements is S^(b) wherein S is the number of streams and b is thelength of the packet received in step 302 in bits. S^(b) exceeds the keyspace of 256- and 512-bit keys for even the smallest messages when S ismuch larger than 1. That complexity grows exponentially in S, motivatinga larger number of streams.

Streams spread by the bit steering process (in step 310 as describedabove) are naturally independent. However, the streams can be made to behighly interdependent as described below in the description of StreamDependence. Interdependent streams cause adversaries anexploitation-complexity increase of at least S factorial (S!). For 32streams, this factor is 2¹¹⁷ and, for 64 steams, it is 2²⁹⁵, whichexceeds the square of the brute force key space attack effort forAES-128.

One additional feature of streams is that sub-packets can be aggregatedinto a single stream as desired. In other words, sub-packets can beassigned to streams in the same general manner in which packet bits areassigned to sub-packets in step 310, pseudo-randomly assigning more thanone sub-packet to some or all streams. This allows for a logical numberof streams greater than the physical number of streams. Normally theratio of sub-packets to streams is 1:1, i.e., one sub-packet per stream.But in cases where small packets are inefficient to transmit, wherefewer destination addresses are preferred, or where packet size is to betightly controlled, sub-packet aggregation allows a larger number oflogical streams to be merged into a smaller number of physical streams.

Another way in which an endpoint system can further obfuscate data insub-packets is Stream Order manipulation. Spreading an input packet ininput order, whether by bits or bytes, to the sub-packets has the effectthat no matter how randomly the data is spread between the sub-packets,the input packet order is kept in the sub-packets. For example, an inputof “abcdefgh” spread two ways might yield a random “aceg” and “bdfh”.But in each case, substream letters appear in the same transitive orderas input (a before c before e before g, for example). In the mannerdescribed above, it is not cleartext bytes that are shuffled, but bitsin a strongly encrypted cipher text. Yet, the same monotonicitypersists. For this reason, endpoint systems A 150 and B 180 support fairshuffles before spreading (step 310) and/or before inner encryption (instep 318). Such shuffling allows bits to appear out-of-order so thateach inner cyphertext byte could be dependent on any input byte.

In some embodiments, endpoint systems A 150 and B 180 implement StreamDependence. As described above with respect to logic flow diagram 208(FIG. 4 ), once device packet data is spread to sub-packets, thosesub-packets are generally processed independently. However, endpointsystems A 150 and B 180 can create cross-stream data interdependencies,increasing the burden of adversarial data analysis and exploitation.Examples of cross-stream data interdependencies include cross-streamfunctions and cross-stream exchanges.

Regarding cross-stream functions, any sub-packet can be replaced with aninvertible function of itself and other data. In particular, encryptionin step 318 (FIG. 3 ) can be replaced or augmented with any functionapplied to the data payload of the sub-packet so long as the functioncan be inverted in step 408 (FIG. 4 ) to recover the original sub-packetpayload. The primary goal in increasing cross-stream datainterdependence is not as much cryptographic strengthening as it isforcing an adversary to have data for all of the streams and theknowledge of function configuration, which present more than S factorialalternatives. With all interdependence processing nestled between innerand outer encryptions, overall cryptographic strength is not weakened.Yet, the key- and pair-dependent changes increase the effective blocksize to total message size, strengthening against cryptographic attack.

In the following illustrative example, endpoint system A 150 modifiesbytes of a sub-packet based on the values of bytes in other chosensub-packets in the manner illustrated by the following Go-language code:

for i := range stream[a] { // arbitrary streams a, b, c (1)  //arbitrary b offset  bByte := stream[b][(i + bOffset) % len(stream[b])] // arbitrary c offset  cByte := stream[c][(i + cOffset) %len(stream[c])]  // operators can be add, subtract, exclusive-or, ... stream[a][i] {circumflex over ( )}= bByte + cByte }

In source code excerpt (1), the order in which stream indices a, b, andc are chosen, whether they span a subset of streams or span streamsmultiple times, the value of positional offsets bOffset and cOffset, andthe operators (ADD, SUB, XOR, ROT) used to bind the streams togetherbyte-by-byte are key-driven choices. This interdependence function neednot be algebraic in nature. The substitution box of symmetric keyalgorithms is an able mechanism. In S-Box (Substitution Box) mode,endpoint system A 150 replaces data in stream a invertibly withreference to a substitution box whose input comes from a and anotherstream:

for i, aByte := range stream[a] { // arbitrary streams a, b (2)  //arbitrary offset  bByte := stream[b][(i + bOffset) % len(stream[b])] stream[a][i] = SBOX(aByte, bByte) }

In yet another embodiment, endpoint system A 150 draws from otherstreams or sources, permitting use of non-invertible, one-waysubstitutions:

for i := range stream[a] { // arbitrary streams a, b, c (3)  //arbitrary offset  bByte := stream[b][(i + bOffset) % len(stream[b])]  //arbitrary offset  cByte := stream[c][(i + cOffset) % len(stream[c])]  //operator can be add, subtract, exclusive-or, ...  stream[a][i]{circumflex over ( )}= SBOX(bByte, cByte) }

In other, alternative embodiments, endpoint system A 150 usespermutation operations, such as left and right circular shifts and anyof the 40,318 other 8-bit shuffles, to increase cross-stream datainterdependence:

for i, aByte := range stream[a] { // arbitrary streams a, b (4)  //arbitrary offset  bByte := stream[b][(i + bOffset) % len(stream[b])]  //rotate left  stream[a][i] = aByte<<(bByte&0×7) | aByte>>(8-(bByte&0x7) }

Regarding cross-stream exchanges, endpoint system A 150 can exchangedata in a given stream with data in other streams. While this mechanicalexchange is cryptographically simple, its position between encryptionsmakes it strong for our purpose. This data exchange can be driven by akeyed pseudo-random number generator as shown in the following Go sourcecode excerpt:

for i := range stream[a] { // arbitrary streams a, b (5)  j := (i +bOffset) % len(stream[b]) // arbitrary offset  If PseudoRandomBit( ) & 1{  // swap bytes   stream[a][i], stream[b][j] = stream[b][j],stream[a][i]  } }

The cross-stream exchange by endpoint system A 150 can also be driven bythe content of other streams, for example:

for i := range stream[a] { // arbitrary streams a, b, c, d (6)  //arbitrary offset  j := (i + bOffset) % len(stream[b])  // arbitraryoffset   cByte := stream[c][(i + cOffset) % len(stream[c])]  //arbitrary offset   dByte := stream[d][(i + dOffset) % len(stream[d])]  If cByte < dByte {   // swap bytes    stream[a][i],stream[b][j] =stream[b][i],stream[a][i]  } }

Whether by cross-stream functions or cross-stream exchanges or acombination of both, it is not the form of interdependence processingthat matters so much as its presence. When it is enabled, an adversarysuffers greater difficulty exploiting intercepted information.

Aside from encryption, an important attribute of privacy provided byendpoint systems A 150 and B 180 is that of communications privacy. Indigital networks, this goal implies resistance to traffic analysis. Onedimension of this resistance is obscuring the identity of communicationendpoints. Since the IP addresses of packets in transit through opennetworks are easily observed, endpoint systems A 150 and B 180 replacethe actual FROM: and TO: addresses of TCP/IP packets with phantom packetendpoint addresses.

Phantom addresses in this context are IP addresses not associated withphysical devices, but are IP addresses in the addressing scheme ofnetworking hardware to which the device attaches. Preferably, reverseproxy configuration is used to redirect packets matching certainaddresses or address ranges to a physical endpoint system. For example,a hundred or thousand local IP addresses may be sent to each of endpointsystems A 150 and B 180, and each can accept packets sent to any ofthese addresses. Similarly, the FROM: address can be modified ontransmission. Rewriting packet addresses allows sending and receivingendpoint systems to obfuscate the true endpoints for the packet.

Choices made in the creation of phantom addresses can have significantconsequences. As a FROM:TO pair, they create a communication channelallowing receiving endpoint systems to immediately judge certain factsabout the packet, ranging from security knowledge to detection of roguepackets. In particular, any packet sent to an endpoint system's phantomaddresses from a source other than an endpoint system will be detectedas a rogue packet with a certainty greater than 99.999999906867742538%merely by header inspection. This means that the endpoint system canreliably detect and reject DOS and DDOS packet floods directed to itsphantom addresses at its input line rate.

The restriction in the previous paragraph—i.e., ‘directed to its phantomaddresses’—is not as restrictive as it may appear. By placing anendpoint system at the Internet- or WAN-facing edge of local areanetworks and operating the endpoint system in invisible mode withoutpass-through of non-Endpoint data, an entire data center or range of IPconnections becomes protected from DOS/DDOS attacks. In this mode, alldata destined for any device on the device-side of the endpoint systemis processed by, and therefore addressed to, the endpoint system.Accordingly, because phantom headers handled implicitly at theedge-to-Endpoint interface, phantom headers are free to use the fullrange of local subnet addresses. This is a configuration option.

In this illustrative embodiment, endpoint systems A 150 and B 180securely and privately communicate with each other and other endpointsystems through “internal channels.” In step 314 (FIG. 3 ), endpointsystem A 150 pads the data payload of the subject sub-packet to fill thepredetermined packet size of the sub-packet. In addition, endpointsystem A 150 can insert other data into the data payload of a givensub-packet in manners described below. While endpoint system A 150 caninsert random data into the sub-packet and endpoint system B 180 candisregard that random data, endpoint system A 150 can alternative insertdata to communicate to endpoint system B 180. Inserting such dataintended to be communicated to endpoint system B 180 by insertion intosub-packets sent in step 322 constitutes a virtual communicationschannel that is sometimes referred to herein as an “internal channel.”The message can be spread across (i) multiple sub-packets of a givendevice packet, i.e., from any of devices 111-119, (ii) sub-packets ofmultiple device packets from multiple devices, and (iii) generally anysub-packets sent to endpoint system B 180 by any performance of thesteps of logic flow diagram 204. Internal channels allow endpoint systemA 150 and endpoint system B 180 to share any information that they mustshare to perform the secure data transmission described herein.

Merely inserting bits of an internal message from endpoint system A 150to endpoint system B 180 to fill sub-packets provides a significant datastream. For example, a 10 mbyte/sec data connection with 64 kb packetsspread to 256 streams can convey ˜23.9 kb/second via the final-byteinternal channel. There are additional circumstances explainedsubsequently that expand the rate of transport for the internalchannels.

Quality of Service Adversarial traffic analysis is further frustrated bya break in the direct relationship between (i) the size and timing of apacket arriving at the device-side of an endpoint system and (ii) theaggregate size and timing of packets leaving the network-side of theendpoint system. In this illustrative embodiment, endpoint systems A 150and B 180 break this direct relationship in at least two ways: qualityof service (QoS) manipulation as described here and interjection ofbackground data described below.

The term, “quality of service”, is well known in networking protocols asa means of promoting rate and latency sensitive data packets over lesstime-sensitive packets. QoS is generally considered to be a means forsuperior communication, where greater QoS is a mechanism to gettime-sensitive data, such as voice or video data, delivered reliably andon time. Generally, to reduce latency, all data travels with QoS set ashigh as the data's urgency allows. Contrary to this conventionalthinking, endpoint systems A 150 and B 180 select a lower than necessaryQoS to slow packet throughput, in effect choosing perverse throughput.For example, choosing an unnecessarily low quality of service is a wayto request high latency, low data rate perverse throughput for a packet,for any packets to or from specific addresses, or for all packets.

In conventional thinking, it would seem undesirable to seek lessenedQoS. However, perverse throughput is desirable in the context ofendpoint systems A 150 and B 180 for many reasons. For example, if anendpoint system is handling low-latency transactional data andlatency-tolerant bulk data, such as backup images, bulk email, and othersuch items, it is beneficial to request the worst acceptable QoS for thelatency tolerant data so as to spread such data temporally to thegreatest acceptable degree. Such temporal stretching of the transmissionof sub-packets reduces the temporal correlation between thosesub-packets and the device-side packet from which they were made.

One of the benefits of perverse throughput is breaking the link betweenbursty input and bursty output. If that data has low QoS, transmissionof this data can be spread over seconds, minutes, or even hours. Thisgreatly frustrates traffic analysis by adversaries. In addition, ratherthan simply holding and slowly sending low QoS packets, the endpointsystem A 150 can exploit the internal channels for such communicationswherever possible. In this way, multiple, independent data streams arecommingled temporally before final stream encryption, greatlyfrustrating known attacks on block cipher systems.

Slowing the rate at which packets are sent through WAN 170 by endpointsystem A 150 makes it more difficult for an adversary to recognize thosepackets as related to one another, breaking the direct relationshipbetween the rate at which data is received from the device side ofendpoint system A 150 and the rate at which data leaves endpoint systemA 150 for transmission through WAN 170.

Bit Insertion Expanding on the commingling of multiple independent datastreams, each endpoint system can randomly insert bits from internalchannels, low QoS data, and a shared source of random bits (e.g., sharedrandom data 606) during bit spreading in sub-packet creation. Byinserting additional data into sub-packets formed in steps 310-324,endpoint system A 150 further distorts the relationship between theamount and rate of data received at the device side and the amount andrate of data transmitted through WAN 170 as a result.

The rate of insertion is the exposed control for this action. When theinsertion rate is zero, no bits are inserted other than as describedherein, e.g., to pad the sub-packet to the appropriate size. However,when the insertion rate is greater than zero, randomized bits areinserted at approximately the insertion rate from the queue of availablesources.

Inserting at least one bit per cipher block, which can be the datapayload of one sub-packet, causes half the encrypted bits to change,frustrating any exploitation of data between endpoint systems A 150 andB 180. Insertion of internal or low QoS sources does not increaseoverall data size since such data would have to be transmitted by othermeans otherwise. However; random insertion does increase overall datasize, but strengthens mightily against block cipher attacks. Insertingrandom bits comes at the cost of extra communication. A low rate of1/128 (one bit per 16-byte cipher block) causes a 0.78125% increase indata while a high rate of ⅛ (one bit per byte) represents a 12.5%increase.

A channel's rate of bit insertion can set arbitrarily high—extreme ratesof ⅞ and 127/128 request just one non-random data bit per byte orencryption block, respectively. Within the endpoint system, the use ofextremely high insertion rates is a convenient way to send blocks ofinternal channel and perverse QoS data. Endpoint system A 150 can informendpoint system B 180 by sending a small “ignore me” control packet thatincludes bit insertionrate=length(DesiredData)/(length(DesiredData)+length(ControlPacket)) sothat the desired amount of data will be automatically inserted whilesending the control packet.

Background Data One of the benefits of spread-spectrum in radiotransmissions is the presence of cosmic radiation in the background thathelps disguise the signal. To emulate this advantage, endpoint systems A150 and B 180 can send dummy data packets between one another. The dummypackets, sometimes referred to herein as noise packets, carry noinformation intended to be communicated between the endpoint systems butinstead are sent as decoys to increase the difficulty of adversariesdetecting data traffic between the endpoints.

In an extreme example, endpoint systems A 150 and B 180 send random dataat a chosen rate, likely the link rate, with a 100% duty cycle. Thiswould be an omnipresent stream of noise much like cosmic backgroundradiation. Generated background data is perfectly effective at hidingpresence or absence of substantive packet traffic as one simplysubstitutes traffic for random data as needed. In situations in whichextreme security is needed, such as in military and intelligencecommunity contexts, adding noise packets to use the full bandwidth ofnetwork links, i.e., bandwidth saturation, may be warranted.

Bandwidth saturation has disadvantages. If bandwidth saturation is usedonly when sending data between endpoint systems, this river of data ishighly unusual and thus notable. Adversaries will detect the activityand investigate. In public networks, e-commerce vendors will notice andrespond to such highly unusual activity as an existential threat; suchheavy traffic violates critical presumptions of network provisioning bymobile carriers and network operators. Of course, noise packets can begenerated and sent such that the aggregate data traffic through anendpoint system is less than full bandwidth saturation.

In this illustrative embodiment, endpoint system A 150 generates randombackground data into which substantive data traffic is seamlesslymerged. Unlike a hypothetical universal background data generator, noisedata generation is nuanced to provide enough “cover” fortransmissions—for robust defense against traffic analysis—but in minimalways that frustrate detection of background data generation.

Rate Limits The rate at which endpoint system A 150 generates randombackground data has two configurable limits, the minimum rate and themaximum rate. These rates can be expressed in bits per second or as linkrate proportion. The extreme settings here are min=max=0% for no dynamicgeneration, and min=max=100% for bandwidth saturation. The defaultvalues of min=0, max=100% lets endpoint system A 150 decide for itselfaccording to its configuration and logic.

Rate Selection Data arriving at the device-side of endpoint system A 150defines the amount of data endpoint system A 150 must send. The qualityof service settings for that data, set directly or implied by addressrules, defines the urgency for sending this data. The rate minimizationprocess by endpoint system A 150 is in many ways like power utility peakshedding and load balancing logic. The transmission schedule codifies“must send this many bytes over the next units of time.” This dynamicschedule represents just how busy the network-side links need to be anddoes so in advance whenever perverse QoS is enabled. The presence ofperverse QoS has the effect of moving such traffic away from themandatory peaks of non-perverse traffic.

Endpoint system A 150 stores a history of data arriving from devices111-119 for statistical analysis. Such statistical analysis allowsendpoint system A 150 to anticipate data transmission needs over ahierarchical range of times, e.g., during the next second, 2 seconds, 4seconds, and so on. The integral of this demand over each timescaledefines the least work the device must do and also, sets the basis fordetermining how much noise data to generate.

In determining how much noise data to generate, endpoint system A 150uses the following parameters: rate, scale, and variance. The ratedetermines how slowly or quickly the rate of noise generation ispermitted to change as a function of time. The scale is a multiplier ofhow much more data should be generated than the schedule's peak. Forexample, if statistical analysis by endpoint system A 150 of historicaldata requirements and analysis of data currently received from devices111-119 indicates that as much as 128 kb of substantive data must betransmitted in the next second, a scale of 50% indicates that 64 kb ofnoise data should be generated and intermingled with the substantivedata such that endpoint system A 150 sends a total of 292 kb of dataover the next second. The variance specifies randomizationcharacteristics of the noise to be added at the rate and scalespecified. Endpoint system A 150 also calculates an optimized generationschedule sufficient to clear the “must-send” peaks at all scales, honorthe parameters (particularly the rate of change), and yet be as low aspossible. The optimization generation schedule is asymptotically fit tothe min and max limits, and result is the dynamic rate of backgrounddata generation.

The variance affects the randomization of noise data as follows. Addingnoise data considering the rate alone results in smoothly varyingamounts of noise data under smoothly varying loads. As a result, anadversary might detect this structure as an indication of endpointprocessing, something to which the adversary should turn her attention.To thwart this potential detectability, the further step of jitteringthe rates (in accordance with the variance) is done randomly. As anexample, we might send a little less than needed for half a second, andcompensate with as much more in the other half-second. This does notchange the overall rate but makes it a little noisy. In practice,endpoint system A 150 performs this jittering at many rates, rangingfrom hours to nanoseconds. Endpoint system A 150 implements a selectablerange of time-scales an jitter factors, whose aggregate impact is tomodify the smoothly varying background rate into what appears a randomone. In this illustrative embodiment, endpoint system A 150 makessmaller changes to rates in finer time scales (high frequencies). Inparticular, endpoint system A 150 scales the size of the noise data by1/frequency, which approximates a fractal noise pattern nearly universalin nature and typical systems. This particular mechanism is but one ofmany that can be used.

Rate Shaping Natural network activity does not follow smooth changes intransmission data rates. Accordingly, endpoint system A 150 randomlyperturbs the dynamic rate of background data generation to providepeaks, dips, and gaps in data transmission rates to give the impressionof natural network activity—but without decreasing the integratedtransmission rate. The presence of a large amount of latency-tolerant,perverse-QoS traffic allows the overall rate to be a small, defining anintermittent meandering stream as opposed to an immense river. In thisway, endpoint system A 150 is an effective barrier to traffic analysiswhile remaining subtle and unnoticed amidst other network traffic.

Rate History Historical records of device side data rates and backgrounddata generation rates are kept by endpoint systems A 150 and B 180,e.g., in endpoint security data 522. Such records allow endpoint systemsto adjust the near term minimizing logic of dynamic rate setting basedon longer term behavior. The presumption of such adjustments is thatpast performance is a predictor of future performance, which famously isnot always true. Yet, in cases where endpoint protected devices, e.g.,devices 111-119 and 191-198, have consistent, cyclic, or episodicbehavior, using the lessons of history can be valuable.

Consider an endpoint-protected point of sale (PoS) terminal in a Targetstore communicating with a central server. The PoS terminal will havebursty traffic as each customer's transaction is consummated, short gapsin communication between customers, long gaps when a register isunattended, and very long gaps when the store is closed overnight. Therate history parameter settings are used to control which of such gapsis fully or partially spanned by background data generation. This casealso illustrates the value of negative QoS—allowing a slight delay inthe peak will have a great effect in lowering the historically drivenlevel of data generation to a fair approximation of cosmic backgroundradiation.

Transmission Control—Dynamic Spreading Up to this point, the number ofchannels across which data is spread by the endpoint system, e.g.,determined in step 308, has been described as a free variable, S. Thechoice of S is arbitrary and has no effect on transmission andreconstruction. Larger values cause more overhead, but, they alsogreatly increase the necessary effort of an adversary and any overheadincreases likewise increase internal channel bandwidth.

One implication of narrower vs. wider spreading is the size of resultingoutput packets. For example, 64 kb packets spread 32 ways results in 2kb output packets, while the same input size spread 1024 ways results in64 byte packets. Because the output packet size can have an impact ontransmission efficiency, endpoint system A 150 sets the desired size ofoutput packets in an alternative embodiment and uses the desired packetsize value to dynamically set the spreading factor of each input packet,using:

spread=Floor((length(packet)+desiredSize−1)/desiredSize)   (6)

Setting desiredSize in equation (6) to 8 kb causes 64 kb packets to bespread by a factor, S, of 8. However, a 4 kb input packet with an 8 kbdesiredSize setting will still result in a 4 kb output packet. It shouldbe appreciated that this size is independent of actual transmissionframe sizes and considerations of normal and jumbo frames.

In above description regarding Multiple Streams, it was mentioned thatendpoint system A 150 can aggregate packets before sending and separatepackets after receipt. When a desired spread factor, S, results inpackets smaller than desiredSize, endpoint system A 150 can aggregatepackets in that manner. In this situation, endpoint system A 150determines a logical spread factor—e.g., four (4) times the naturalspread factor defined by the desired output packet size and mergesgroups of four (4) logical packets to make physical packets of thedesired size.

A third output shaping choice is for exact packet sizes. In this case,endpoint system A 150 distributes the bits to packets of the desiredsize and packs each with random bits to fill out the packets.

Transmission Ordering The simplified, synchronous description ofendpoint processing presented previously, has packets received, spreador unspread, and resulting packets implicitly transmitted in order ofarrival. Endpoint system A 150, however, does this processingasynchronously—packets are received, spread or unspread, encrypted ordecrypted, and transmitted concurrently. This means that multiplepackets can be ready at the time of a transmission.

In “Riffle, An Efficient Communication System With Strong Anonymity”[Proceedings on Privacy Enhancing Technologies 2016; 2016 (2):1-20],authors Kwon, Lazar, Devadas, and Ford analyze the privacy advantages ofgathering packets over an extended time interval and then releasing thecollected packets in a shuffled order. (Thus the name ‘riffle.’) Whiletheir research is in the context of strong anonymity networks formicroblogging, file sharing, and communication, we have found theconcept of transmission order randomization at nodes in a communicationfabric to be useful in endpoint processing.

In this illustrative embodiment, endpoint systems A 150 and B 180shuffle the order of packets gathered and pending transmission asallowed by quality of service settings. Endpoint systems A 150 and B 180can also gather packets over a longer interval to shuffle an expandedcollection for the benefits reported in Kwon et al. but at the cost ofadded latency. In this embodiment, shuffling among pending packets doesnot increase latency and is therefore the default behavior of endpointsystems A 150 and B 180. As in Kwon, the notion of gathering pendingpackets over an extended interval for enhanced reduction of inbound andoutbound channel affinity comes at the cost of latency. TheextraDelayTime parameter, which specifies an amount of time an endpointsystem waits to gather additional packets to shuffle, defaults to zerofor this reason. The natural delay time allowed by quality of servicecan also be scaled as desired.

Packet Filtering Endpoint systems A 150 and B 180 can encounter bothplain and special packets. As used herein, “special” packets are packetsaddressed to the endpoint system directly (in the visible mode) orpackets passing through for an address or address range recognized asbeing behind an endpoint system (in the invisible mode). Generally, anypacket processed by endpoint system A 150 in the manner described aboveis a special packet. A plain packet is any packet which is not special.Depending on the placement of endpoint systems within a networktopology, the filtering of plain packets can be desirable.

Pass through: The default configuration of endpoint systems A 150 and B180 is to pass plain packets through the endpoint system unchanged. Inpassing plain packets through, endpoint systems A 150 and B 180 can actas ordinary, conventional network nodes in addition to providing securecommunications in the manner described herein. It is this mode thatallows endpoint systems to be invisibly added to an existing generalnetwork.

Blocking: In a most-secure and most-private configuration, an endpointsystem can be configured to block plain packets. For example, ifendpoint systems A 150 and B 180 are so configured and know only of eachother and no other endpoint systems and devices 111-119 and 191-198 haveno connection to WAN 170 other than through endpoint systems A 150 and B180, total communication privacy exists between endpoint systems A 150and B 180. In particular, no other network device could reach, or bereached from, them—as if they are hardwired on their own network. Thissame assurance is conferred to an entire LAN by interposing an endpointsystem between the LAN's edge and its WAN link. In mesh configurations,this creates a “virtual air-gap wide area network.”

Forwarding In some configurations, imposing the secure air-gap mentalityon a computing environment is too strict as communication withdestinations other than an endpoint system is necessary. While externalnetwork switches can be used to route plain packets away from endpointsystems, it can also be helpful for the endpoint systems to forwardplain packets as a service—to a firewall, to a security device, orelsewhere.

Key Distribution and System Configuration In this illustrativeembodiment, endpoint systems A 150 and B 180 are managed devices, withvarious compatible mechanisms to allow encryption keys and operatingmodes to be configured as desired. However, such out of band managementis not the only choice given internal channels between endpoint systems.Use of in band control is a choice as well.

An important use of in-band management is in secure Internet of Things(IoT) applications. Examples of highly sensitive IoT devices include anaircraft engine, an implanted medical device, and a sensor on the seafloor. In such highly sensitive applications, the logic of endpointsystem A 150 described herein can be implemented directly within an IoTdevice. The ability to reliably control such devices is critical and,for this reason, endpoint systems A 150 and B 180 support in-bandcommunication for key distribution, system configuration, and softwareupdates.

Endpoint Pairing Device pairing provides additional security andreliability in endpoint systems such as endpoint systems A 150 and B180. In this illustrative embodiment, pairing includes tight logicalbonding of two endpoint systems from first contact through growth overtime and shared experience. Such pairing provides a number ofadvantages, including improved ability to detect changes at a distantendpoint system, such as a replaced or modified endpoint system,adversarial introduction of an interstitial endpoint system, or thereplay of past traffic between the paired devices. Another advantage isimproved protection against an adversary with access to device passwordsor device details.

The pairing implementation uses data stored in an endpoint system foreach of its peer endpoint systems—see, e.g., shared random data 606(FIG. 6 ). Shared random data 606 is block of random bytes, generatedmutually, encrypted, shared through an internal channel with extreme bitinsertion rates, updated carefully, and known only by the pair ofendpoint systems. During the packet processing described herein,endpoint system A 150 uses these bytes to perturb packet processing invarious ways, though never to change the defined keys or validatedencryption mechanisms. The arena of effect is between the inner andouter encryptions (e.g., in steps 310 and 412), where streaminterdependence computations, bit spreading, bit insertion, and othersteps are specialized based on the pair's private shared data.

During initial pairing, endpoint systems A 150 and B 180 cooperate tocreate identical copies of shared random data 606. In addition, endpointsystems A 150 and B 180 both modify shared random data 606 over time inidentical ways such that shared random data 606 changes over time butremains identical in both of the paired endpoint systems. For example,each time endpoint systems A 150 and B 180 exchange data, e.g., in themanner described above with respect to FIGS. 2-4 , both endpoint systemsA 150 and B 180 can use the contents or other details of the dataexchange to modify both copies of shared random data 606. Thus, thepairing of endpoint systems A 150 and B 180, as represented by sharedrandom data 606, grows over time with experience shared by endpointsystems A 150 and B 180.

Use of shared random data 606 between outer (step 306) and inner (step318) encryption is a subtle choice of placement. By doing pair-dependentprocessing here, endpoint systems A 150 and B 180 still have thetransmission and key validation of the Galois Counter Mode whenperforming the inner decryption. If the outer decryption (step 414)fails after specialized packet processing (after inner decryption instep 408), then it can be assumed that the sending endpoint system isabnormal—a different endpoint system than expected with either adifferent outer key/nonce pair or with different shared random data 606.If retrying with older versions of shared random data 606 is successful,we know when we face a replay attack and can often bracket the time ofits origin. By retrying the packet processing with the initialpre-paired configuration, successful outer decryption means the distantendpoint system, e.g., endpoint system B 180, has been replaced with anew one, or that a new one has been inserted between the pair—and thatit has the right keys. As in packet filtering, endpoint system A 150 hasa choice to make in this situation: reset to accept a new endpointsystem or reject, refusing to recognize a new endpoint system.

Reset—In the reset case, endpoint system A 150 simply resets its sharedrandom data 606 to the default and continues without note. This behavioris friendly to hardware changes in the field and is just as safe as isthe privacy of the keys, for this is what endpoint system A 150 reliesupon. Endpoint system A 150 can be configured to perform this resetsilently or to record a log of this activity, and also to notify anexternal security system for awareness.

Reject—To reject a distant endpoint system based on loss of sharedrandom data 606 is the security goal of pairing. In this mode, endpointsystem A 150 immediately stops communicating with the other endpoint,e.g., endpoint system B 180. The rejection can be silent or logged asdescribed with resetting shared random data 606, and is intended toreport an alarm to an external security system.

A significant further reason for pairing of endpoint systems is the callfor post-quantum cryptography by the National Institute of Standards andTechnology (NIST) and other concerned entities. In security researchcircles, this quest has been framed as a strengthening of public keycryptography, symmetric key cryptography, and secure hash functionsagainst unbounded computation. Since the basis of modern cryptography isthe scarcity of adversarial computation, the quantum specter poses alooming existential crisis.

One might ask: “What is unchanged by boundless computation?” Ourconsidered answer is, the arrow of time, that is the notion of past andfuture and the inaccessibility of the past. From this came the idea touse prior keys and traffic, in some form, as the encryption key. Thisapproach is in the spirit of Cipher Block Chaining in DES, the use ofGalois Counter Mode in AES, of Perfect Forward Privacy in TLS, and thepaired action at a distance of Adaptive Delta Pulse Code Modulation(ADPCM) and Arithmetic Coding.

Each endpoint system pair knows the keys they have both used, thetraffic they have both seen, and the pairing data they have communicatedprivately. This is the basis of the transformation perturbation datablock built via secure hashing with SHA-256/512 and SHA3-256/512. Sincepairing adjustments include differentiated bit insertion, since alladjustments are between two strong cipher systems, and with theadjustments constantly changing, there is no known plaintext attack onthe inner encryption—the one whose output is exposed to the outsidenetwork. An attack on the entire endpoint system thus means a key spaceattack on the encryption at both ends (2×128/256 bits) and the verylarge pair state (≥1024 bits). Even if computable by quantum effort, itwould be ineffective, because the pair state as represented by sharedrandom data 606 changes during physical operation of endpoint systems A150 and B 180.

Use of shared random data 606 in the manner described herein is quantumresistant in part because the arrow of time denies even an adversarywith boundless computation the ability to go backward through time torecreate the relationship of endpoint systems, because the changing ofshared random data 606 prevents sufficient work in a static key state todevelop insight into the aggregate cryptosystem (both how shared randomdata 606 is used and how it changes over time), and further, becausedynamic pairing data means (as would a one-time pad) that any success byan adversary would be fleeting, and betray nothing about communicationsprior or since, nor aid in future attacks. In effect, the armor againstquantum cryptography is the entanglement of endpoint systems.

Packet Forwarding As described above, endpoint systems such as endpointsystems A 150 and B 180 route sub-packets to other endpoint systemsusing phantom addresses, e.g., IP addresses 608 (FIG. 6 ). Security canbe further enhanced by sending those output sub-packets to an endpointsystem other than the intended destination, with the instruction toforward the sub-packet to the true destination or to further forward thepacket randomly or deterministically. For example, sub-packets intendedfor endpoint system B 180 can be sent instead to endpoint system A 150with instructions to forward the sub-packet to endpoint system B 180,either directly or through one or more other endpoint systems.

In this illustrative embodiment, this same sub-packet ultimatelydestined for endpoint system B 180 can be further forwarded by endpointsystem B 180 to other endpoint systems. Such helps disguise the truedestination of the sub-packet. Using a time-to-live attribute, thesub-packet is ultimately dropped by some subsequent forwardeddestination.

This routing of sub-packets could create a Tor-like anonymity network,but in endpoint security logic 520. All that is needed is to allowcommunications between endpoint systems A 150 and B 180 to involve atleast one other endpoint system. Even a single packet forwarded this waymeans that an adversary must get all traffic from either end of thelink—traffic from every connection—to have any hope of informationexploitation. This forwarding means total latency will likely begreater, increases the risk transmission failure, and increases overalldata traffic. Yet, the benefit can be valuable for both privacy andsecurity, and can be enabled and controlled as desired.

While this invention has been described in terms of several embodiments,there are alterations, modifications, permutations, and substituteequivalents, which fall within the scope of this invention. Althoughsub-section titles have been provided to aid in the description of theinvention, these titles are merely illustrative and are not intended tolimit the scope of the present invention.

It should also be noted that there are many alternative ways ofimplementing the methods and apparatuses of the present invention. It istherefore intended that the following appended claims be interpreted asincluding all such alterations, modifications, permutations, andsubstitute equivalents as fall within the true spirit and scope of thepresent invention.

What is claimed is:
 1. A computer readable medium useful in associationwith a computer which includes one or more processors and a memory, thecomputer readable medium including computer instructions which areconfigured to cause the computer, by execution of the computerinstructions in the one or more processors from the memory, to enhancefortified private communications between a source device and adestination device by at least: receiving a data packet from the sourcedevice, wherein the data packet includes header address data thataddresses the data packet to the destination device; fragmenting thedata packet into at least two packet fragments, wherein the packetfragments collectively represent the entirety of the data packet;encrypting the at least two packet fragments to produce encrypted packetfragments; and sending the encrypted packet fragments to the destinationdevice using a distinct, respective one of multiple destinationaddresses associated with the destination device.
 2. The computerreadable medium of claim 1 wherein the computer instructions areconfigured to cause the computer to enhance fortified privatecommunications between a source device and a destination device by atleast also: encrypting the data packet to form an encrypted data packet;and wherein fragmenting comprises fragmenting the encrypted data packetinto the packet fragments.
 3. The computer readable medium of claim 1wherein fragmenting comprises: adding interjected data to the packetfragments wherein the interjected data is unrelated to, and independentof, the data packet.
 4. The computer readable medium of claim 3 whereinthe interjected data is randomized data shared between a source endpointsystem associated with the source device and a destination endpointsystem associated with the destination device.
 5. The computer readablemedium of claim 3 wherein the interjected data collectively representsdata to be communicated from a source endpoint system associated withthe source device to a destination endpoint system associated with thedestination device.
 6. The computer readable medium of claim 1 whereinfragmenting comprises: determining a number of packet fragments intowhich to fragment the data packet using one or more selected from agroup consisting essentially of a minimum size of the packet fragments,a maximum size of the packet fragments, and a desired size of the packetfragments.
 7. The computer readable medium of claim 1 wherein sendingcomprises sending at least one of the encrypted packet fragments throughat least one untrusted data communications channel.
 8. The computerreadable medium of claim 1 wherein sending comprises generating one ormore noise data packets that are independent of the substantive contentof the data packet and sending the noise data packets to one or more ofthe destination addresses.
 9. A computer readable medium useful inassociation with a computer which includes one or more processors and amemory, the computer readable medium including computer instructionswhich are configured to cause the computer, by execution of the computerinstructions in the one or more processors from the memory, to enhancefortified private communications between a source device and adestination device by at least: receiving two or more data packets, eachof which is addressed to one of multiple destination addressesassociated with the destination device; decrypting the data packets toform two or more decrypted data packets; combining the decrypted datapackets to form a reconstructed data packet; and sending thereconstructed data packet to the destination device.
 10. The computerreadable medium of claim 9 wherein sending comprises: decrypting thereconstructed data packet to form a decrypted reconstructed data packet;and sending the decrypted reconstructed data packet to the destinationdevice.
 11. The computer readable medium of claim 9 wherein combiningcomprises: identifying and discarding interjected data from the datapackets wherein the interjected data is unrelated to, and independentof, the reconstructed data packet.
 12. The computer readable medium ofclaim 11 wherein the interjected data is randomized data shared betweena source endpoint system associated with the source device and adestination endpoint system associated with the destination device. 13.The computer readable medium of claim 11 wherein the interjected datacollectively represents data to be communicated from a source endpointsystem associated with the source device to a destination endpointsystem associated with the destination device.
 14. The computer readablemedium of claim 9 wherein sending comprises sending at least one of theencrypted packet fragments through at least one untrusted datacommunications channel.